Method: projects.serviceAccounts.keys.get

Gets a ServiceAccountKey.

HTTP request


The URL uses gRPC Transcoding syntax.

Path parameters



Required. The resource name of the service account key.

Use one of the following formats:

  • projects/{PROJECT_ID}/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
  • projects/{PROJECT_ID}/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

As an alternative, you can use the - wildcard character instead of the project ID:

  • projects/-/serviceAccounts/{EMAIL_ADDRESS}/keys/{KEY_ID}
  • projects/-/serviceAccounts/{UNIQUE_ID}/keys/{KEY_ID}

When possible, avoid using the - wildcard character, because it can cause response messages to contain misleading error codes. For example, if you try to access the service account key projects/-/serviceAccounts/, which does not exist, the response contains an HTTP 403 Forbidden error instead of a 404 Not Found error.

Authorization requires the following IAM permission on the specified resource name:

  • iam.serviceAccountKeys.get

Query parameters


enum (ServiceAccountPublicKeyType)

Optional. The output format of the public key. The default is TYPE_NONE, which means that the public key is not returned.

Request body

The request body must be empty.

Response body

If successful, the response body contains an instance of ServiceAccountKey.

Authorization scopes

Requires one of the following OAuth scopes:


For more information, see the Authentication Overview.


Supported public key output formats.

TYPE_NONE Do not return the public key.
TYPE_X509_PEM_FILE X509 PEM format.
TYPE_RAW_PUBLIC_KEY raw public key.